Instead of patching, Microsoft limits video codec in Windows

On this month's Patch Tuesday, Microsoft issued a Security Advisory in which it detailed the steps it was taking to fix vulnerabilities in the Indeo codec, which compresses and decompresses video data, found in supported editions of Windows 2000, Windows XP, and Windows Server 2003. The newly discovered vulnerability in the 17-year-old video codec (Intel introduced it in 1992) could allow remote code execution when opening specially crafted media content. Thus, Microsoft released a fix which blocks the codec from being launched in Internet Explorer or Windows Media Player, and also removes the ability for it to be loaded when browsing the Internet with any other application. The update is being offered to older operating systems automatically via Windows Update.

This is a very unusual solution, which Microsoft justifies in the name of security. Deprecating vulnerable code is "a rare occurrence, as it is usually challenging to remove functionally from products that customers are currently using without affecting existing applications," a Microsoft spokesperson confirmed with Ars. "In this case, we created defense-in-depth changes that reduce the attack surface and removed the functionality of this codec rather than addressing individual vulnerabilities because it provided more comprehensive protection for an older, less used codec."

The security advisory further explains how the update removes the most common remote attack vectors. The fix only allows applications to use the Indeo codec when the media content is from the local system or from the intranet zone, meaning games or other applications that leverage the codec locally can still function correctly. At the same time, Internet Explorer, Windows Media Player, or any other program that accesses the Internet cannot launch anything that uses the codec. Microsoft had to make sure that the codec would not be missed when visiting legitimate websites, and could still be used in corporate applications.

The advisory also notes that the update was not issued for 32-bit and 64-bit editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 since these operating systems already bar the codec from loading. What's really curious here is that it took Redmond this long to update older operating systems to the same level of security by blocking these known attack vectors to protect users from being duped into visiting a malicious site. To completely remove all attack vectors, Microsoft explains that the codec can be deregistered completely, if the user wishes to do so.

Some poor soul who doesn't even know what a video codec is will try to install some ancient game on their machine using some trick carefully written down by a more tech-savvy friend who died a few years ago because he finally got around to it and be very upset that the video his dead friend told him about that was just too cool to pass up even though he put it off all this time doesn't work.

Originally posted by DosFreak:Alot of games use the Indeo codec. Not sure how this affects them, haven't done any testing yet.

This is explained in the article.......

Statements in articles don't mean anything to me.

"The fix only allows applications to use the Indeo codec when the media content is from the local system or from the intranet zone, meaning games or other applications that leverage the codec locally can still function correctly."

As a Mac user, I've not been able to play any Indeo-encoded video content since the OS X switch back in 2001, when Apple and Intel chose to drop playback support for the format. I have missed it exactly one time many years ago, and even then only slightly (didn't really care about the content). Good riddance to old cruft.

So.. Windows Media Player won't play videos using this codec.. even if it's a video on the local system?

So.. how would one go about playing any of these videos? (I wouldn't be surprised if I have some videos from way back that use it.. wouldn't want to not be able to view them, should I ever so choose..)

Perhaps next "Patch Tuesday," MS could do the world a favor and apply the mother of all security fixes. Simply download and execute a simple routine that simply erases Windows from the boot drive. No more worms, viruses or vulnerabilities.

Seriously, if MS really want to maintain their predominance, they best either piss or get off the pot. They need to design a new operating system from the ground up, not just patch, prune, and graft, which has been the modus operandi since NT 3.51. Given the existence of efficient hardware and software virtualization today, it would be fairly trivial to equip the new OS with a compatibility layer that would invisibly boot a copy of Win7 or XP to run legacy programs. MS could then give venders 5 to 7 years to rewrite their code for the new OS, and phase out the compatibility layer accordingly. Apple has done this three times in the last 15 years (Motorola to PowerPC on the old Mac OS; the transition from OS 9 to OS X; the transition from PowerPC to Intel under OS X) and each time come out ahead. Surely, with its vastly greater resources, MS could do the same. Windows has gotten to the point where radically new directions in operating system design are no longer feasible within the existing code base.

Many VJs still use the Indeo codec. We have tested many current codecs and cannot get as good a result with a small file-size, good scalability, scratchability (being able to scrub backwards/forwards without glitching) and low resource requirements (as we use real-time effects).

It's been annoying that Indeo stopped being supported on Macs, as we have to recode all our clips to use on Macs when required - hence we regularly test other codecs hoping to find an ideal cross-platform option, so far with no success.

To get equivalent quality/functionality with other codecs, the filesize is generally about 3-5 times larger. Which when you are trying to fit 30,000 clips on a portable drive makes a big difference. I know there aren't many people with those requirements, but there are still some of us.

A cross-platform codec was even developed specifically for VJ use this year, but on a PC, the Indeo still outperforms it.

So, much as we would love to replace Indeo, for our purposes there is still nothing that works as well. Very annoying that Microsoft are trying to kill it.

Originally posted by WiseWeasel:As a Mac user, I've not been able to play any Indeo-encoded video content since the OS X switch back in 2001, when Apple and Intel chose to drop playback support for the format. I have missed it exactly one time many years ago, and even then only slightly (didn't really care about the content). Good riddance to old cruft.

Indeo works in Classic Quicktime on PPC Macs (perfectly smooth the one time I had to do it - hate you, Mathworks) and in VLC on x86. The only hole then is in Leopard on PPC.

Note that Intel had offloaded Indeo by 2001, and it was the new owner that refused to update the support.

Originally posted by willdenow:Perhaps next "Patch Tuesday," MS could do the world a favor and apply the mother of all security fixes. Simply download and execute a simple routine that simply erases Windows from the boot drive. No more worms, viruses or vulnerabilities.

Seriously, if MS really want to maintain their predominance, they best either piss or get off the pot. They need to design a new operating system from the ground up, not just patch, prune, and graft, which has been the modus operandi since NT 3.51. Given the existence of efficient hardware and software virtualization today, it would be fairly trivial to equip the new OS with a compatibility layer that would invisibly boot a copy of Win7 or XP to run legacy programs. MS could then give venders 5 to 7 years to rewrite their code for the new OS, and phase out the compatibility layer accordingly. Apple has done this three times in the last 15 years (Motorola to PowerPC on the old Mac OS; the transition from OS 9 to OS X; the transition from PowerPC to Intel under OS X) and each time come out ahead. Surely, with its vastly greater resources, MS could do the same. Windows has gotten to the point where radically new directions in operating system design are no longer feasible within the existing code base.

Spoken like someone who doesn't know an OS from a JPEG. Apple reinvented their OS, because they had to, they failed on updating classic to something modern, so they brought a new OS and emulated it, they switched to intel, because they made the mistake of choosing IBM's cpu in the first place. You see this, through your apple colored glasses, as great innovation and market leadership, I see it for what it is, a bunch of piss poor decisions and inability. When MS makes the same mistakes, they'll need to go through the same process, until then they're fine updating an OS that works, and runs on a cpu arch. that isn't fail.

People like you advocate MS making an OS from scratch and emulating Windows for one reason, you know that Windows users would revolt and abandon MS and their OS if all their apps and games were emulated (look at the latest parellels and fusion reviews on this site for Mac, miserable game and app experiences are typical years after they've been trying this stuff, if it were MS they'd lose 90% of their customers) - we're not stupid we know the game.

Apple reinvented their OS, because they had to, they failed on updating classic to something modern, so they brought a new OS and emulated it, they switched to intel, because they made the mistake of choosing IBM's cpu in the first place. You see this, through your apple colored glasses, as great innovation and market leadership, I see it for what it is, a bunch of piss poor decisions and inability.

OK, Indeo is antiquated and, except for a small niche, who really cares? I agree with other posts about the need to go a step further and remove more outdated codecs.

I don't agree with Agressiva's assessment of Apple. In Apple's defense, OS 9 had ran its course and it was time for a ground up rebuild. To even broach the topic of "why didn't Apple update OS 9 and modernize Classic" is a page right out of MS's playbook. MS couldn't do a ground up rebuild of Windows even if they wanted to. The APIs are too deeply embedded in an effort to maintain backward compatibility.

Over the last two decades Apple has been more adept at innovating new technologies, products, and features while MS has simply thrown money at their marketing needs and purchased whatever technology they needed. I don't drink anyone's Kook-Aid, but I think credit should be given where it's due.

Don't some games rely on that? I mean maybe not anything super recent, but I'm thinking they did. (Personally I like when stuff relies on as little external software as possible, for exactly this reason.)

Originally posted by d_jedi:So.. Windows Media Player won't play videos using this codec.. even if it's a video on the local system?

So.. how would one go about playing any of these videos? (I wouldn't be surprised if I have some videos from way back that use it.. wouldn't want to not be able to view them, should I ever so choose..)

You might be able to use something like Media Convert to convert old videos to a newer format:

Originally posted by cowhow:Over the last two decades Apple has been more adept at innovating new technologies, products, and features while MS has simply thrown money at their marketing needs and purchased whatever technology they needed. I don't drink anyone's Kook-Aid, but I think credit should be given where it's due.

Um, [citation needed].

quote:

In Apple's defense, OS 9 had ran its course and it was time for a ground up rebuild. To even broach the topic of "why didn't Apple update OS 9 and modernize Classic" is a page right out of MS's playbook. MS couldn't do a ground up rebuild of Windows even if they wanted to. The APIs are too deeply embedded in an effort to maintain backward compatibility.

Apple's "new codebase" is NeXTSTEP, an OS spearheaded by Steve Jobs (after he was removed from Apple) and saw its' first release in 1989. A more apt comparison is to Windows NT, first released in 1993, which eventually became the codebase for Windows XP and later versions.

It's interesting to note that large parts of Windows Vista, including the desktop compositor, the network stack and the audio stack, were rewritten. Obviously that "deeply embedded" API wasn't holding them back as much as you think.

Those who fail history...

quote:

Originally posted by d_jedi:So.. Windows Media Player won't play videos using this codec.. even if it's a video on the local system?

So.. how would one go about playing any of these videos? (I wouldn't be surprised if I have some videos from way back that use it.. wouldn't want to not be able to view them, should I ever so choose..)

People need to read the article more carefully. It states that this is only for remote videos, and local content will be able to be played fine.